WordPress and SSL: a minor nightmare in the making

A few days ago, I turned on SSL for a particular website for a client. This involved the following steps:

1. Installing (or mostly turning on) the wildcard SSL certificate for the domain using the SSL/TLS Manager in the SiteGround cPanel, a most painless process, I assure you.

2. Turning on https in the WordPress settings > general

3. Add the relevant htaccess redirect code to access the site only via https (302 only, NOT 301)

This was a breeze, and everything worked as expected, but I needed to set up something more advanced, and that's when my minor nightmare started 🙂

The fun begins

I wanted to have access via both http and https, so I removed the global htaccess redirect rule. At this point, I should have been able to access the site using both http and https. But try as I might, I could not access the site using http. As soon as I would enter http, it would load the https site. First I thought it might be some issue at my end, so I cleared the cache umpteen times, flushed DNS, tried from multiple browsers and then other devices, and then via VPN… but always the https site was loading.

It took me a bit of time to figure out that there was a redirect happening from the server. Browser developer tools > network immediately showed me that a 301 redirect was happening. First I suspected that the htaccess redirect rule I had added earlier was cached somewhere, but then I realized that I had added a 302 rule, not a 301 rule, so that could not be the culprit.

So I reached out to the excellent SiteGround support via chat to ask for help and they said the redirect is occurring because of #2 above (Turning on https in the WordPress settings > general). This was not according to my understanding or knowledge. So I looked through the SG knowledge base, and found the relevant article explaining how to set up SSL for WP. It matched what I was saying, and contradicted what the support personnel had said.
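Added example (not from the original post or from SiteGround): a small Python helper that reads the response head `curl -sI` prints for the plain-http URL and reports the facts this debugging hinged on, namely 301 versus 302, whether the hop is a same-host http-to-https upgrade, and the `X-Redirect-By` header that WordPress's `wp_redirect()` sets on redirects it issues. The sample responses and the `example.test` host are constructed.

```python
from urllib.parse import urlsplit

# Constructed samples: response heads as printed by `curl -sI http://example.test/`
SAMPLE_PHP_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    "X-Redirect-By: WordPress\r\n"
    "Location: https://example.test/\r\n\r\n"
)
SAMPLE_RULE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: https://example.test/\r\n\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_head(raw):
    """Split a raw response head into (status_code, lower-cased header dict)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 ..." -> 301
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def explain_redirect(request_url, raw_head):
    """Summarise one redirect hop for the URL that was requested."""
    status, headers = parse_head(raw_head)
    if status not in REDIRECT_CODES or "location" not in headers:
        return {"redirect": False, "status": status}
    src, dst = urlsplit(request_url), urlsplit(headers["location"])
    return {
        "redirect": True,
        "status": status,
        # 301/308 may be stored by browsers without any cache headers;
        # 302/307 are not, which is why a 302 rule is safer while testing.
        "cacheable_by_default": status in (301, 308),
        "https_upgrade": (src.scheme, dst.scheme) == ("http", "https")
        and src.hostname == dst.hostname,
        # Absent header: the hop came from a server rule, proxy or other layer.
        "issued_by": headers.get("x-redirect-by", "unknown (server rule or proxy)"),
    }
```

A 301 carrying `X-Redirect-By` points at PHP code (WordPress core or a plugin) rather than at an htaccess rule, which narrows the search before any settings are changed.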

Step 1: Configure WordPress to work through https

Log into your WordPress site as administrator, go to Settings -> General and in the field ‘WordPress Address (URL):’ change the ‘http://’ to ‘https://’. Once you do this your visitors will be able to access your website both with and without SSL.

I also looked through the WordPress codex on this topic, HTTPS for WordPress, and this was also clearly stating that “The HTTP URL, will however work normally in parallel as both ports are different.”

But the SiteGround personnel insisted the redirect was occurring because of this.

Experimental Setup

So to test what was happening, I decided to carry out my own experiments. I set up two more sites using LetsEncrypt SSL certificates.

First site: I did not make any changes to WordPress settings > general

Second site: I changed http to https in the WordPress settings, to exactly mirror the previous setup with which I was having a problem

Findings

Both setups gave expected results.

#1: I could access the site using http and https. All the links on the http page are http, while the links on the https page are https. This makes perfect sense.

#2: I could access the site using http and https. All the links on the http page are HTTPS, while the links on the https page are https. This also kind of makes sense coz I set the address to https in the backend, hence all links should be https by default even on the http page. Let's see this in the screenshots below:

Http site loading fine

Https site loading fine

When adding a new page it showed the link as http

But links on the page are https

The test page is correctly https

Even the image is https

Certificate details

Backend login is also https

So at this point it was clear that my understanding was correct, and indeed the second site was accessible both via http and https. But what in the world was going on with the client site? Why was it redirecting?

More discussions with SG support

So once again I went back to SG support, this time via a ticket, rather than chat, and explained to them all these findings in detail. Pat came the reply from a support personnel:

I investigated the issue and was able to resolve it by disabling the Redirection plugin as well as modifying the URL in the website database to load via http

This was an unexpected reply. Even after providing so much of detailed info, the solution being proposed was contrary to what my findings were and their own KB article, and same as what was proposed in the chat. I reverted. Another reply a while later:

I modified the URL in the website database to load via https as it was initially. The reason for the issue to occur is due to the Redirection plugin which is installed on the peoplekonnect.co.in installation and not on the other ones. Currently your website is accessible both via http and https

Unfortunately, not true. The 301 redirect was STILL happening.

By now I was starting to get a bit cheesed with them, so I sent them this detailed graphic, which hopefully would be self-explanatory.

Shortly after that came another reply from a different support personnel:

I managed to get this fixed by updating WP_HOME from HTTPS to HTTP.

Ah. Hahahahahaha. This was the pits. So much of back and forth and once again the discussion has been rebooted. Again I reverted, and finally I got an explanation of what's going on. I don't know if this is correct, but it's one explanation that fits.

The reason for why the redirect occurs after you update the home and site URL in database is that Wildcard works differently than Let’s Encrypt.

Since these are two different certificates from two authorities the ways they handle HTTPS requests are different too.